Users infected with ransomware will not be able to pay to recover their files

Due to a US government sanction, users who perform transactions with the indicted persons will face high economic penalties

Have you been a victim of ransomware and are you trying to pay criminals to decrypt your files? Maybe you’d like to think twice because, according to cybersecurity and digital forensics specialists from the International Institute of Cyber Security, this would violate policies of the US government.

In the past days the Department of Justice (DOJ) revealed an indictment before a grand jury against two Iranian hackers, allegedly responsible for the SamSam ransomware campaign. As part of the evidence in this case, the US Department of Treasury’s Office of Foreign Assets Control (OFAC) presented online cryptocurrency wallet addresses linked to individuals who participated in the conversion of ransomware payments to fiduciary currency.

“This is the first time that OFAC publicly provides digital currency addresses attributable to individuals subject to criminal prosecution,” the Department of Treasury said.

In this particular case, the cryptocurrency addresses were linked to the Iranian residents named Ali Khorashadizadeh and Mohammad Ghorbaniyan, who facilitated the exchange of ransomware payments to the Iranian currency. The addresses attributed to these individuals (1AjZPMsnmpdK2Rv9KQNfMurTXinscVro9V and 149w62rY42aZBox8fGcmqNsXUzSStKeq8C) contain a total of 5 901 Bitcoin. According to the current exchange rate of Bitcoin, this equates to over $23M USD.

According to experts in digital forensics, the OFAC has also added both Iranian citizens to the Specially Designated Nationals and Blocked Persons (SDN), which means that American individuals and organizations are prohibited from conducting any kind of transaction with them. This decision could also affect companies and people outside the US.

“As a result of this sanction, anyone who performs a transaction with Khorashadizadeh and Ghorbaniyan may be subject to secondary penalties,” mentions the OFAC announcement.

Because of this, if a user was infected ransomware and wants to pay the ransom, they should be very careful not to send money to these Bitcoin addresses. If so, they could face fines much higher than the ransomware payment.

This decision also affects the data recovery companies, as well as the negotiators expert in this kind of incidents, since they interact in a constant way with the ransomware developers.

Companies that offer response services to this kind of incidents will now need to take the necessary precautions and avoid at all costs any transaction with the individuals designated by the US government in order to avoid fines or any other possible legal consequence.

“The OFAC has made it clear; any US company that performs a cryptocurrency transfer, no matter the reason, will need to review the OFAC address list,” says Bill Siegel, an expert on cybersecurity. “Although it continues to be a gray area, paying to recover encrypted files with ransomware has become a common practice in the industry. The Department of Treasury has taken the first step towards a necessary minimum regulatory state.”

With the increase in ransomware attack cases, companies that offer data recovery services have also grown. However, many experts in digital forensics consider that many of these companies lack the necessary knowledge to recover the encrypted information, limiting themselves to negotiate with the developers of the malware and paying for the ransom requested by the attackers.